;Goal: Let's prepare for a full repeal of the CFAA and replacement with sane law.

+

;Goal: Let's decsribe what a full repeal & replacement of the CFAA[http://www.law.cornell.edu/uscode/text/18/1030] should look like.

;Questions: How would we construct good law in these areas, from scratch?

;Questions: How would we construct good law in these areas, from scratch?

: How do different areas of law, policy, and internet governance view the law and its impact?

: How do different areas of law, policy, and internet governance view the law and its impact?
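Review bot: the new Goal line has a typo, "decsribe" for "describe", and the external link is glued to the word as `CFAA[http://www.law.cornell.edu/uscode/text/18/1030]`, which MediaWiki renders as "CFAA" followed by a bare numbered link; `[http://www.law.cornell.edu/uscode/text/18/1030 CFAA]` gives a labelled link instead.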

Line 66:

Line 66:

What substantive things should be in a rational computer crime law?

What substantive things should be in a rational computer crime law?

−

−

=== Positive principles ===

−

(''see the draft'')

; Parallelism with non-computer crime law

; Parallelism with non-computer crime law

Line 74:

Line 71:

; Proportionate punishment

; Proportionate punishment

−

−

=== Negative principles ===

; Avoid confusion/overlap between different parts of the government : in terms of means and ways

; Avoid confusion/overlap between different parts of the government : in terms of means and ways

* b/t different parts of the government

* b/t different parts of the government
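Review bot: the definition item "Avoid confusion/overlap between different parts of the government : in terms of means and ways" is followed by the sub-bullet "b/t different parts of the government", which only repeats the item's subject; either drop the sub-bullet or have it name which agencies or branches have the overlapping means and ways.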

Line 88:

Line 83:

** we feel as though there is sufficient persistent identity in the community that even pseudonymous hackers care about their reputations.

** we feel as though there is sufficient persistent identity in the community that even pseudonymous hackers care about their reputations.

−

* '''focus on bad ''access'', leave ''use'' to other laws''' - laws on copyright, trade secret, identity theft, espionage, extortion, and fraud govern most of the "scary" use cases.

+

* '''Focus on bad ''access'', leave ''use'' to other laws''' - laws on copyright, trade secret, identity theft, espionage, extortion, and fraud govern most of the "scary" use cases.

** In this way, we are leaving the "hats" (black/white/grey/green) discussion for the community norms or existing law.

** In this way, we are leaving the "hats" (black/white/grey/green) discussion for the community norms or existing law.

* '''Consent should always be a defense''' - server owners ask members of the public to do some weird stuff against their systems, but as long as they ask for it, it should never be a crime to access one's computer in that way.

* '''Consent should always be a defense''' - server owners ask members of the public to do some weird stuff against their systems, but as long as they ask for it, it should never be a crime to access one's computer in that way.

−

* As to code-based vulnerabilities and authentication measures, '''some level of technical effectiveness should be considered.''' A "reasonable" standard may not be appropriate, as defining what is "reasonable" may lead to unnecessary confusion. But some consideration should be made to ensure that trivially-overcome measures are not considered within the scope.

+

* '''Consider technical effectiveness of site design''' for its intended use. For code-based vulnerabilities and authentication measures, a "reasonable" standard may not be appropriate: defining what is "reasonable" may lead to unnecessary confusion. But some consideration should be made to ensure that trivially-overcome measures are not within the scope.

==== What should be unlawful ====

==== What should be unlawful ====

−

* '''hold the party intending to do the bad behavior culpable''' - don't track liability to a person whose computer was unwittingly used to commit the crime.

+

* '''Setting up and triggering an exploit''' - even if it was not done on that person's computer. Hold the party intending to do the bad behavior culpable. [ex: sharing a tinyurl that carries out a sql-injection]

−

* '''Circumvention of a code-based authentication measure''' should be unlawful (leaving proportionality for another discussion). This includes cracking, password guessing, or human-engineering password disclosure.

+

* '''Circumvention of a code-based authentication measure''' - leaving proportionality for another discussion. This includes cracking, password guessing, or human-engineering password disclosure.

+

*: Once we get to this set of actions, we're in fraud-land. [this still shouldn't be penalized more than non-electronic fraud]

* '''Exploiting a code-based vulnerability to obtain information''' should be unlawful (leaving proportionality for another discussion). We are thinking of things like a SQL injection hack.

* '''Exploiting a code-based vulnerability to obtain information''' should be unlawful (leaving proportionality for another discussion). We are thinking of things like a SQL injection hack.

−

* '''Knowingly deleting or impairing the integrity of the work''' should be unlawful if done intentionally or recklessly. Moving down to negligence or strict liability at a certain damage threshold is harder to say.

+

* '''Knowingly deleting or impairing the integrity or availability of the data''' should be unlawful if done intentionally or recklessly. Moving down to negligence or strict liability at a certain damage threshold is harder to say.

==== Uncertain areas ====

==== Uncertain areas ====

−

* '''penetration testing''' is squishy - an open call for bug bounties should be treated like consent to access the site (again, using laws govern bad uses)

+

* '''Penetration testing''' is squishy. An open call for bug bounties should be treated as consent to access the site (again, using other laws to govern bad uses)

−

+

−

* '''"accidentally open" sites are squishy''' - e.g., sites that were supposed to be behind an authentication layer but are not. To a certain extent, it may be best to place the fault of this onto the coder of the site, with the comfort that certain uses by the obtainer of information may still be unlawful.

+

+

* '''"Obtaining information from accidentally-open" sites''' is squishy. E.g., sites that were supposed to be behind an authentication layer but are not. To a certain extent, it may be best to place the fault of this onto the coder of the site, with the comfort that certain uses by the obtainer of information may still be unlawful.

=== Open questions ===

=== Open questions ===
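Review bot: the rewritten "Setting up and triggering an exploit" bullet loses the explicit exclusion from the old line ("don't track liability to a person whose computer was unwittingly used"); the tinyurl example implies it, but the rule should state outright that the person whose browser or machine relayed the request is not the culpable party. Separately, "Knowingly deleting or impairing the integrity or availability of the data" followed by "if done intentionally or recklessly" mixes two mental states: "knowingly" in the lead already excludes recklessness, so either drop "Knowingly" or limit the body to intentional or knowing conduct.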

Line 125:

Line 120:

: This tends to be pretty bad. It's clearly defeating the system, when it requires finding a subtle exploit

: This tends to be pretty bad. It's clearly defeating the system, when it requires finding a subtle exploit

: Can be less bad when a system has an auth system but doesn't use it (e.g. it's never checked)

: Can be less bad when a system has an auth system but doesn't use it (e.g. it's never checked)

The CFAA was developed over time as a merger of ~7 different areas of law. It has developed in an aggregate way, and few groups are happy with the current law. It is so broad that prosecutors like it because they can use it to force plea bargains, since it applies to almost everything in its sphere of action (relying on prosecutorial judgement).

Different parts of the story: national defense, cyber war, data security, corporate law, contracts online. Authorization based on code, contract, or social norms. Legal frameworks used to pursue political ends. Career standards for prosecutors defined in political ways.

"Advanced technical crime" -- The deployment of the Secret Service was a bit peculiar, but they were the only federal agents trained in what they were looking for.

Civil rights concerns

Part of the prosecution that was particularly troubling: at one point in the investigation, it felt as though they were keeping the prosecution going because they'd spent so much time bringing it along. There was no will from victims to keep it going, and not necessarily any other desire, but the prosecutors for their own reasons wanted a conclusion.

Scope should be limited - the law should not run to the boundary of what we find ethical or moral. We want people to have freedom to "mess around" with the web (perhaps with some negligence-based liability if they cause actual damage). As with media law and "bad journalism", copyright and "plagiarism," the law should leave the edge cases for the community to set up a moral/normative/shame-oriented punishment scheme.

We feel as though there is sufficient persistent identity in the community that even pseudonymous hackers care about their reputations.

Focus on bad access, leave use to other laws - laws on copyright, trade secret, identity theft, espionage, extortion, and fraud govern most of the "scary" use cases.

In this way, we are leaving the "hats" (black/white/grey/green) discussion for the community norms or existing law.

Consent should always be a defense - server owners ask members of the public to do some weird stuff against their systems, but as long as they ask for it, it should never be a crime to access one's computer in that way.

Consider technical effectiveness of site design for its intended use. For code-based vulnerabilities and authentication measures, a "reasonable" standard may not be appropriate: defining what is "reasonable" may lead to unnecessary confusion. But some consideration should be made to ensure that trivially-overcome measures are not within the scope.

Setting up and triggering an exploit - even if it was not done on that person's computer. Hold the party intending to do the bad behavior culpable. [ex: sharing a tinyurl that carries out a SQL injection]

Circumvention of a code-based authentication measure - leaving proportionality for another discussion. This includes cracking, password guessing, or human-engineering password disclosure.

Once we get to this set of actions, we're in fraud-land. [this still shouldn't be penalized more than non-electronic fraud]

Exploiting a code-based vulnerability to obtain information should be unlawful (leaving proportionality for another discussion). We are thinking of things like a SQL injection hack.

Knowingly deleting or impairing the integrity or availability of the data should be unlawful if done intentionally or recklessly. Moving down to negligence or strict liability at a certain damage threshold is harder to say.

Penetration testing is squishy. An open call for bug bounties should be treated as consent to access the site (again, using other laws to govern bad uses).

Obtaining information from "accidentally open" sites is squishy, e.g. sites that were supposed to be behind an authentication layer but are not. To a certain extent, it may be best to place the fault for this on the coder of the site, with the comfort that certain uses by the obtainer of the information may still be unlawful.